William Blake—the poet who wrote “to hold infinity in the palm of your hand”—would be speechless at how his words manifest in today’s age. Technology has thrust the app-loaded phone, with its infinite possibilities, in our hands. It can perform myriad tasks like a genie.
The other day, I was making a list of things this magnificent digital ecosystem cannot provide. The foremost would be security. Security breaches involve capturing confidential data and manipulating it. What affects the vast majority of users is financial fraud. Some are now targeting users of the Unified Payments Interface (UPI). Recent reports suggest that financial frauds accounted for three-fourths of all cybercrimes in India between January 2020 and June 2023.
More often than not, business entities can secure their trade secrets and safeguard themselves from data theft. This is not the case for individual users who are being increasingly targeted with pervasive and pernicious attacks. Phishing, vishing, smishing, watering holes, refund scams, form jacking, SIM swapping—the classification of these scams is an ongoing enterprise.
Users are told not to share passwords and OTPs, and not to click on embedded and unknown links. But just when users are forewarned of a particular method of attack, a new and stealthier one emerges. Take the QR code scam. It has all the trappings of a legitimate transaction. Sellers who use online platforms are sent an innocuous QR code by an alleged buyer to receive money. When they scan the code, they may find that their bank account has been emptied.
I have experienced a variant of the QR code scam. I had scanned my phone to make a payment via Google Pay at an eatery. This was the only time I did so. The next day I found that three messages had been sent from my phone to three different, unknown numbers authorising transactions on G-Pay. I had not sent the messages; I asked a tech-savvy colleague for advice. He suggested that I delete my G-Pay account from the phone, remove the SIM card and use it from another device. According to him, the phone’s security had been compromised. I checked on True Caller the numbers to which the messages had been sent and realised that what had happened to me had been reported by other users almost two years earlier. I added a few more bytes to the existing spam reports, thanking my stars that I had suffered no monetary loss. What was surprising was that while these scamsters had been identified and called out in public, they continued to operate with impunity.
As the ease of transaction increases, vulnerability to exploitation increases manifold. A welcome recent change is that when a message is received from an unknown number, WhatsApp warns the user that such a number is not on the contact list and that the profile name and photo are not verified. This is a useful alert and should raise a doubt in the mind of the targeted user.
Some ten districts in our country have been identified as places from which organised gangs operate and target users of digital services. These gangs exploit technically skilled and unemployed youngsters to their advantage. They are con artists who can deprive people of their hard-earned money in a flash. Concerted attempts must be undertaken to break the nexus between such gang leaders and the youth they train and employ.
That gets me thinking on the entire process. There is a limit on the amount one can withdraw through various modes including ATM. The National Payments Corporation of India has set limits for UPI transactions. Individual users should also be encouraged to fix withdrawal limits, as it will save them from extensive damage. Today, even an attempt to log out of social media invites solicitous checks on whether you really wanted to exit when you could just temporarily mute the app. In our AI-mediated ecosystem, when suspicious activity is detected, the customer should rightfully be informed of the stakes before the transaction is completed.
There is a related issue worth considering. The Deposit Insurance and Credit Guarantee Corporation ensures protection cover for bank deposit holders in the event of a failure of insured banks. This can serve as a model. Given that UPI is extensively used today, protection from loss by fraud could be made available to users for a reasonable fee.
Educating on the need for using safe practices while performing digital transactions should be included in efforts to achieve financial inclusion and literacy. Emerging methods of identifying suspicious transactions should be documented and given wide publicity. Most importantly, users should be trained to develop a healthy suspicion towards those who solicit information online and offer get-rich-quick schemes. It is necessary to remember that greed, gullibility and folly feed on one another.
Geetha Ravichandran
Former bureaucrat and author most recently of The Spell of the Rain Tree